On Wed, Aug 16, 2017 at 11:45 PM, Kishanthan Thangarajah <kishant...@wso2.com> wrote:

>
>
> On Wed, Aug 16, 2017 at 9:48 PM, Nuwandi Wickramasinghe <nuwan...@wso2.com> wrote:
>
>> Hi all,
>>
>> With the latest IS pack built with kernel 4.4.17-SNAPSHOT, we can
>> successfully turn off the hostname verification with
>> *-Dhttpclient.hostnameVerifier=AllowAll*.
>>
>
> What was the original issue? Farasath has followed the same steps (IS with
> 4.4.17-SNAPSHOT) and mentioned that the above property was not working
> according to the mail above.
>
>
>> Need to do some code changes from Identity Server side to make the newly
>> introduced property effective for some components.
>>
>
> What are the code changes? This property is only used in httpclient coming
> from kernel. So why changes are required at IS side?
>

Prior to kernel 4.4.17 there was a property
*-Dorg.wso2.ignoreHostnameVerification=true* that was used to disable
hostname verification. IINM, the issue here is that some components use
this property to disable hostname verification, but since that property
has been removed in 4.4.17, that might be causing some issue, so they are
investigating on the IS side.

Nuwandi / Fara - correct me if I am wrong.

>
>
>> Since no improvement is needed from kernel side, can we please go ahead
>> with the kernel 4.4.17 release?
>>
>> *-Dhttpclient.hostnameVerifier* is only applicable since 4.4.17, but our
>> documentation says it's applicable from 4.4.10 ([1]). Better to fix the
>> documentation as well. Reopened [2] since the doc needs to be corrected.
>>
>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>> [2] https://wso2.org/jira/browse/DOCUMENTATION-4071
>>
>> thanks
>> Nuwandi
>>
>> On Wed, Aug 16, 2017 at 5:39 PM, Farasath Ahamed <farasa...@wso2.com>
>> wrote:
>>
>>>
>>>
>>>
>>> On Tue, Aug 15, 2017 at 8:22 PM, Farasath Ahamed <farasa...@wso2.com>
>>> wrote:
>>>
>>>> Tested with Kernel 4.4.16, -Dhttpclient.hostnameVerifier=AllowAll
>>>> parameter is honoured and worked fine.
>>>>
>>>
>>> I had an offline discussion with Chandana and Thusitha and got to know
>>> that *-Dhttpclient.hostnameVerifier=AllowAll* is not supported in
>>> kernel as of now (up to 4.4.16) and will be supported in 4.4.17. Therefore
>>> my earlier conclusion saying that in kernel 4.4.16 the parameter is honoured is
>>> incorrect. But our documentation says that we support this from 4.4.11,
>>> which needs to be corrected immediately :)
>>>
>>> But going through the startup script we do have a parameter
>>> *-Dorg.wso2.ignoreHostnameVerification=true* in kernel 4.4.16. Did a
>>> quick search and this parameter was used in Kernel 4.4.6 to disable
>>> hostname verification. Therefore I think that is how I was able to get my
>>> scenario working with a hostname without changing certs (i.e. turning off
>>> hostname verification).
>>>
>>> But even though we have the necessary fixes to support
>>> *-Dhttpclient.hostnameVerifier=AllowAll* in kernel 4.4.17 with the
>>> commons-httpclient_3.1.0.wso2v6 orbit, it doesn't seem to honour the
>>> *-Dhttpclient.hostnameVerifier* parameter.
>>>
>>> I did a quick debug with commons-httpclient_3.1.0.wso2v6 and the method
>>> to verify hostname[1] was never hit :(
>>>
>>>
>>> [1] https://github.com/wso2/wso2-commons-httpclient/blob/v3.1.0-wso2v6/commons-httpclient/src/main/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java#L286
>>>
>>>
>>>>
>>>> Farasath Ahamed
>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>> <http://wso2.com/signature>
>>>>
>>>>
>>>>
>>>> On Tue, Aug 15, 2017 at 7:58 PM, Harsha Thirimanna <hars...@wso2.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On 15 Aug 2017 7:43 pm, "Farasath Ahamed" <farasa...@wso2.com> wrote:
>>>>>
>>>>> Tried to do $subject following [1] on an IS 5.4.0-SNAPSHOT pack with
>>>>> kernel 4.4.17-SNAPSHOT. I still see hostname validation errors after
>>>>> running the server with
>>>>> -Dhttpclient.hostnameVerifier=AllowAll
>>>>>
>>>>>
>>>>> You don't get this error with the IS pack with kernel 4.4.16? Could
>>>>> you please check that, Farasath?
>>>>> Then we can isolate this.
>>>>>
>>>>>
>>>>>
>>>>> [2017-08-15 19:36:52,561] ERROR {org.apache.catalina.core.StandardWrapperValve} -  Servlet.service() for servlet [default] in context with path [/authenticationendpoint] threw exception
>>>>> java.io.IOException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:467)
>>>>> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
>>>>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>>>>> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>>>>> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>>>> at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:161)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>>>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>> at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>>>> at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>>>> at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
>>>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>>>> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>>>>> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
>>>>> at org.apache.jsp.login_jsp._jspService(login_jsp.java:777)
>>>>> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
>>>>> ... 44 more
>>>>> Caused by: java.security.cert.CertificateException: No name matching idp.wso2.com found
>>>>> at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
>>>>> at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
>>>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>>>>> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>>>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>>>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>>>>> ... 58 more
>>>>>
>>>>>
>>>>> Is the information in [1] still valid?
>>>>>
>>>>> Chandana pointed out there has been a http client version upgrade in
>>>>> Kernel 4.4.17. Could this be a reason for this?
>>>>>
>>>>>
>>>>> [1] https://docs.wso2.com/display/ADMIN44x/Enabling+HostName+Verification
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Farasath Ahamed
>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>> Mobile: +94777603866
>>>>> Blog: blog.farazath.com
>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>> <http://wso2.com/signature>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> Best Regards,
>>
>> Nuwandi Wickramasinghe
>>
>> Software Engineer
>>
>> WSO2 Inc.
>>
>> Web : http://wso2.com
>>
>> Mobile : 0719214873
>>
>
>
>
> --
> *Kishanthan Thangarajah*
> Technical Lead,
> Platform Technologies Team,
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - +94773426635
> Blog - http://kishanthan.wordpress.com
> Twitter - http://twitter.com/kishanthan
>
>
>


-- 
Thanks,
Shariq
Associate Technical Lead
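The trace quoted above fails inside the JDK's own sun.security.util.HostnameChecker, reached through HttpsURLConnection from login_jsp rather than through the kernel's commons-httpclient, which is the only client the httpclient.hostnameVerifier property applies to. As an added example (not code from this thread or from WSO2), the following Python models the JDK identity check that produced "No name matching idp.wso2.com found": SAN dNSName entries take precedence over the subject CN, a wildcard covers exactly one leftmost label, and the messages mirror the JDK's. The certificate names are constructed; the CN=localhost sample assumes a stock Carbon keystore certificate with no SAN.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Names a server certificate presents. Constructed stand-in for a parsed X.509 cert."""
    cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)


def dns_name_matches(hostname: str, template: str) -> bool:
    """Case-insensitive exact match, or a wildcard that is the whole leftmost label."""
    host, tmpl = hostname.lower().rstrip("."), template.lower().rstrip(".")
    if "*" not in tmpl:
        return host == tmpl
    first, _, rest = tmpl.partition(".")
    # Only "*.example.com" style is accepted; "*" elsewhere or "*.com" is refused.
    if first != "*" or "." not in rest:
        return False
    hfirst, _, hrest = host.partition(".")
    # "*" covers exactly one non-empty label: never example.com itself, never a.b.example.com
    return bool(hfirst) and hrest == rest


def check_identity(hostname: str, cert: CertNames) -> Optional[str]:
    """Return None on success, otherwise the CertificateException message the JDK would raise."""
    if cert.san_dns:
        # dNSName SAN entries present: the subject CN is not consulted at all
        if any(dns_name_matches(hostname, n) for n in cert.san_dns):
            return None
        return f"No subject alternative DNS name matching {hostname} found."
    if cert.cn is not None and dns_name_matches(hostname, cert.cn):
        return None
    return f"No name matching {hostname} found"


# Constructed scenario: the stock Carbon keystore cert (assumed CN=localhost, no SAN)
# served under the host name idp.wso2.com, then the same host with a reissued cert.
STOCK_CERT = CertNames(cn="localhost")
REISSUED_CERT = CertNames(cn="localhost", san_dns=["localhost", "idp.wso2.com"])

if __name__ == "__main__":
    print(check_identity("idp.wso2.com", STOCK_CERT))     # the error seen in the log
    print(check_identity("idp.wso2.com", REISSUED_CERT))  # None: fixed without AllowAll
```

Reissuing the server certificate with the public host name in its SAN clears the error on every client stack in the trace, which a client-side AllowAll switch cannot do for code paths it does not cover.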
